/* ***** BEGIN LICENSE BLOCK *****
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
 *
 * The contents of this file are subject to the Mozilla Public License Version
 * 1.1 (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 * http://www.mozilla.org/MPL/
 *
 * Software distributed under the License is distributed on an "AS IS" basis,
 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 * for the specific language governing rights and limitations under the
 * License.
 *
 * The Original Code is the PKIX-C library.
 *
 * The Initial Developer of the Original Code is
 * Sun Microsystems, Inc.
 * Portions created by the Initial Developer are
 * Copyright 2004-2007 Sun Microsystems, Inc.  All Rights Reserved.
 *
 * Contributor(s):
 *   Sun Microsystems, Inc.
 *
 * Alternatively, the contents of this file may be used under the terms of
 * either the GNU General Public License Version 2 or later (the "GPL"), or
 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 * in which case the provisions of the GPL or the LGPL are applicable instead
 * of those above. If you wish to allow use of your version of this file only
 * under the terms of either the GPL or the LGPL, and not to allow others to
 * use your version of this file under the terms of the MPL, indicate your
 * decision by deleting the provisions above and replace them with the notice
 * and other provisions required by the GPL or the LGPL. If you do not delete
 * the provisions above, a recipient may use your version of this file under
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */
/*
 * test_policychecker.c
 *
 * Test Policy Checking
 *
 */

#include "testutil.h"
#include "testutil_nss.h"

#define PKIX_TEST_MAX_CERTS     10

static void *plContext = NULL;

static
void printUsage(char *testname) {
        char *fmt =
                "USAGE: %s testname"
                " [ENE|EE] \"{OID[:OID]*}\" [A|E|P] cert [cert]*\n"
                "(The quotes are needed around the OID argument for dbx.)\n"
                "(The optional arg A indicates initialAnyPolicyInhibit.)\n"
                "(The optional arg E indicates initialExplicitPolicy.)\n"
                "(The optional arg P indicates initialPolicyMappingInhibit.)\n";
        printf(fmt, testname);
}

static
void printUsageMax(PKIX_UInt32 numCerts)
{
        printf("\nUSAGE ERROR: number of certs %d exceed maximum %d\n",
                numCerts, PKIX_TEST_MAX_CERTS);
}

static
PKIX_List *policySetParse(char *policyString)
{
        char *p = NULL;
        char *oid = NULL;
        char c = '\0';
        PKIX_Boolean validString = PKIX_FALSE;
        PKIX_PL_OID *plOID = NULL;
        PKIX_List *policySet = NULL;

        PKIX_TEST_STD_VARS();

        p = policyString;

        /*
         * There may or may not be quotes around the initial-policy-set
         * string. If they are omitted, dbx will strip off the curly braces.
         * If they are included, dbx will strip off the quotes, but if you
         * are running directly from a script, without dbx, the quotes will
         * not be stripped. We need to be able to handle both cases.
         */
        if (*p == '"') {
                p++;
        }

        if ('{' != *p++) {
                return (NULL);
        }
        oid = p;

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_Create(&policySet, plContext));

        /* scan to the end of policyString */
        while (!validString) {
                /* scan to the end of the current OID string */
                c = *oid;
                while ((c != '\0') && (c != ':') && (c != '}')) {
                        c = *++oid;
                }

                if ((c != ':') || (c != '}')) {
                        *oid = '\0'; /* store a null terminator */
                        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
                                (p, &plOID, plContext));

                        PKIX_TEST_EXPECT_NO_ERROR
                                (PKIX_List_AppendItem
                                (policySet,
                                (PKIX_PL_Object *)plOID,
                                plContext));

                        PKIX_TEST_DECREF_BC(plOID);
                        plOID = NULL;
                        if (c == '}') {
                                /*
                                * Any exit but this one means
                                * we were given a badly-formed string.
                                */
                                validString = PKIX_TRUE;
                        }
                        p = ++oid;
                }
        }


cleanup:
        if (!validString) {
                PKIX_TEST_DECREF_AC(plOID);
                PKIX_TEST_DECREF_AC(policySet);
                policySet = NULL;
        }

        PKIX_TEST_RETURN();

        return (policySet);
}

/*
 * FUNCTION: treeToStringHelper
 *  This function obtains the string representation of a PolicyNode
 *  Tree and compares it to the expected value.
 * PARAMETERS:
 *  "parent" - a PolicyNode, the root of a PolicyNodeTree;
 *      must be non-NULL.
 *  "expected" - the desired string.
 * THREAD SAFETY:
 *  Thread Safe
 *
 *  Multiple threads can safely call this function without worrying
 *  about conflicts, even if they're operating on the same object.
 * RETURNS:
 *  Nothing.
 */
static void
treeToStringHelper(PKIX_PolicyNode *parent, char *expected)
{
        PKIX_PL_String *stringRep = NULL;
        char *actual = NULL;
        PKIX_TEST_STD_VARS();

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
                        ((PKIX_PL_Object *)parent, &stringRep, plContext));

        actual = PKIX_String2ASCII(stringRep, plContext);
        if (actual == NULL){
                pkixTestErrorMsg = "PKIX_String2ASCII Failed";
                goto cleanup;
        }

        if (PL_strcmp(actual, expected) != 0){
                testError("unexpected mismatch");
                (void) printf("Actual value:\t%s\n", actual);
                (void) printf("Expected value:\t%s\n", expected);
        }

cleanup:

        PKIX_PL_Free(actual, plContext);

        PKIX_TEST_DECREF_AC(stringRep);

        PKIX_TEST_RETURN();
}

static
void testPass(char *dirName, char *goodInput, char *diffInput, char *dateAscii){

        PKIX_List *chain = NULL;
        PKIX_ValidateParams *valParams = NULL;
        PKIX_ValidateResult *valResult = NULL;

        PKIX_TEST_STD_VARS();

        subTest("Basic-Common-Fields <pass>");
        /*
         * Tests the Expiration, NameChaining, and Signature Checkers
         */

        chain = createCertChain(dirName, goodInput, diffInput, plContext);

        valParams = createValidateParams
                (dirName,
                goodInput,
                diffInput,
                dateAscii,
                NULL,
                PKIX_FALSE,
                PKIX_FALSE,
                PKIX_FALSE,
                PKIX_FALSE,
                chain,
                plContext);

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
                                    (valParams, &valResult, NULL, plContext));

cleanup:

        PKIX_TEST_DECREF_AC(chain);
        PKIX_TEST_DECREF_AC(valParams);
        PKIX_TEST_DECREF_AC(valResult);

        PKIX_TEST_RETURN();
}

static
void testNistTest1(char *dirName)
{
#define PKIX_TEST_NUM_CERTS     2
        char *trustAnchor =
                "TrustAnchorRootCertificate.crt";
        char *intermediateCert =
                "GoodCACert.crt";
        char *endEntityCert =
                "ValidCertificatePathTest1EE.crt";
        char *certNames[PKIX_TEST_NUM_CERTS];
        char *asciiAnyPolicy = "2.5.29.32.0";
        PKIX_PL_Cert *certs[PKIX_TEST_NUM_CERTS] = { NULL, NULL };

        PKIX_ValidateParams *valParams = NULL;
        PKIX_ValidateResult *valResult = NULL;
        PKIX_List *chain = NULL;
        PKIX_PL_OID *anyPolicyOID = NULL;
        PKIX_List *initialPolicies = NULL;
        char *anchorName = NULL;

        PKIX_TEST_STD_VARS();

        subTest("testNistTest1: Creating the cert chain");
        /*
         * Create a chain, but don't include the first certName.
         * That's the anchor, and is supplied separately from
         * the chain.
         */
        certNames[0] = intermediateCert;
        certNames[1] = endEntityCert;
        chain = createCertChainPlus
                (dirName, certNames, certs, PKIX_TEST_NUM_CERTS, plContext);

        subTest("testNistTest1: Creating the Validate Parameters");
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
                (asciiAnyPolicy, &anyPolicyOID, plContext));
        PKIX_TEST_EXPECT_NO_ERROR
                (PKIX_List_Create(&initialPolicies, plContext));
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
                (initialPolicies, (PKIX_PL_Object *)anyPolicyOID, plContext));
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable
                (initialPolicies, plContext));

        valParams = createValidateParams
                (dirName,
                trustAnchor,
                NULL,
                NULL,
                initialPolicies,
                PKIX_FALSE,
                PKIX_FALSE,
                PKIX_FALSE,
                PKIX_FALSE,
                chain,
                plContext);

        subTest("testNistTest1: Validating the chain");
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
                (valParams, &valResult, NULL, plContext));


cleanup:

        PKIX_PL_Free(anchorName, plContext);

        PKIX_TEST_DECREF_AC(anyPolicyOID);
        PKIX_TEST_DECREF_AC(initialPolicies);
        PKIX_TEST_DECREF_AC(valParams);
        PKIX_TEST_DECREF_AC(valResult);
        PKIX_TEST_DECREF_AC(chain);

        PKIX_TEST_RETURN();
}

static
void testNistTest2(char *dirName)
{
#define PKIX_TEST_NUM_CERTS     2
        char *trustAnchor =
                "TrustAnchorRootCertificate.crt";
        char *intermediateCert =
                "GoodCACert.crt";
        char *endEntityCert =
                "ValidCertificatePathTest1EE.crt";
        char *certNames[PKIX_TEST_NUM_CERTS];
        char *asciiNist1Policy = "2.16.840.1.101.3.2.1.48.1";
        PKIX_PL_Cert *certs[PKIX_TEST_NUM_CERTS] = { NULL, NULL };

        PKIX_ValidateParams *valParams = NULL;
        PKIX_ValidateResult *valResult = NULL;
        PKIX_List *chain = NULL;
        PKIX_PL_OID *Nist1PolicyOID = NULL;
        PKIX_List *initialPolicies = NULL;
        char *anchorName = NULL;

        PKIX_TEST_STD_VARS();

        subTest("testNistTest2: Creating the cert chain");
        /*
         * Create a chain, but don't include the first certName.
         * That's the anchor, and is supplied separately from
         * the chain.
         */
        certNames[0] = intermediateCert;
        certNames[1] = endEntityCert;
        chain = createCertChainPlus
                (dirName, certNames, certs, PKIX_TEST_NUM_CERTS, plContext);

        subTest("testNistTest2: Creating the Validate Parameters");
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_OID_Create
                (asciiNist1Policy, &Nist1PolicyOID, plContext));
        PKIX_TEST_EXPECT_NO_ERROR
                (PKIX_List_Create(&initialPolicies, plContext));
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_AppendItem
                (initialPolicies, (PKIX_PL_Object *)Nist1PolicyOID, plContext));
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_List_SetImmutable
                (initialPolicies, plContext));

        valParams = createValidateParams
                (dirName,
                trustAnchor,
                NULL,
                NULL,
                initialPolicies,
                PKIX_FALSE,
                PKIX_FALSE,
                PKIX_FALSE,
                PKIX_FALSE,
                chain,
                plContext);

        subTest("testNistTest2: Validating the chain");
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
                (valParams, &valResult, NULL, plContext));


cleanup:

        PKIX_PL_Free(anchorName, plContext);

        PKIX_TEST_DECREF_AC(Nist1PolicyOID);
        PKIX_TEST_DECREF_AC(initialPolicies);
        PKIX_TEST_DECREF_AC(valParams);
        PKIX_TEST_DECREF_AC(valResult);
        PKIX_TEST_DECREF_AC(chain);

        PKIX_TEST_RETURN();
}

static void printValidPolicyTree(PKIX_ValidateResult *valResult)
{
        PKIX_PolicyNode* validPolicyTree = NULL;
        PKIX_PL_String *treeString = NULL;

        PKIX_TEST_STD_VARS();
        PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateResult_GetPolicyTree
                (valResult, &validPolicyTree, plContext));
        if (validPolicyTree) {
                PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
                        ((PKIX_PL_Object*)validPolicyTree,
                        &treeString,
                        plContext));
                (void) printf("validPolicyTree is\n\t%s\n",
                        treeString->escAsciiString);
        } else {
                (void) printf("validPolicyTree is NULL\n");
        }

cleanup:

        PKIX_TEST_DECREF_AC(validPolicyTree);
        PKIX_TEST_DECREF_AC(treeString);

        PKIX_TEST_RETURN();
}

int test_policychecker(int argc, char *argv[])
{

        PKIX_Boolean initialPolicyMappingInhibit = PKIX_FALSE;
        PKIX_Boolean initialAnyPolicyInhibit = PKIX_FALSE;
        PKIX_Boolean initialExplicitPolicy = PKIX_FALSE;
        PKIX_Boolean expectedResult = PKIX_FALSE;
        PKIX_UInt32 chainLength = 0;
        PKIX_UInt32 initArgs = 0;
        PKIX_UInt32 firstCert = 0;
        PKIX_UInt32 i = 0;
        PKIX_Int32  j = 0;
        PKIX_UInt32 actualMinorVersion;
        PKIX_ProcessingParams *procParams = NULL;
        char *firstTrustAnchor = "yassir2yassir";
        char *secondTrustAnchor = "yassir2bcn";
        char *dateAscii = "991201000000Z";
        PKIX_ValidateParams *valParams = NULL;
        PKIX_ValidateResult *valResult = NULL;
        PKIX_List *userInitialPolicySet = NULL; /* List of PKIX_PL_OID */
        char *certNames[PKIX_TEST_MAX_CERTS];
        PKIX_PL_Cert *certs[PKIX_TEST_MAX_CERTS];
        PKIX_List *chain = NULL;
        PKIX_Error *validationError = NULL;
	PKIX_VerifyNode *verifyTree = NULL;
	PKIX_PL_String *verifyString = NULL;
        char *dirName = NULL;
        char *dataCentralDir = NULL;
        char *anchorName = NULL;

        PKIX_TEST_STD_VARS();

        PKIX_TEST_EXPECT_NO_ERROR(
            PKIX_PL_NssContext_Create(0, PKIX_FALSE, NULL, &plContext));

        /*
         * Perform hard-coded tests if no command line args.
         * If command line args are provided, they must be:
         * arg[1]: test name
         * arg[2]: "ENE" or "EE", for "expect no error" or "expect error"
         * arg[3]: directory for certificates
         * arg[4]: user-initial-policy-set, consisting of braces
         *      containing zero or more OID sequences, separated by commas
         * arg[5]: (optional) "E", indicating initialExplicitPolicy
         * arg[firstCert]: the path and filename of the trust anchor certificate
         * arg[firstCert+1..(n-1)]: successive certificates in the chain
         * arg[n]: the end entity certificate
         *
         * Example: test_policychecker test1EE ENE
         *      {2.5.29.32.0,2.5.29.32.3.6} Anchor CA EndEntity
         */

        dirName = argv[3+j];
        dataCentralDir = argv[4+j];

        if (argc <= 5 || ((6 == argc) && (j))) {

                testPass
                    (dataCentralDir,
                    firstTrustAnchor,
                    secondTrustAnchor,
                    dateAscii);

                testNistTest1(dirName);

                testNistTest2(dirName);

                goto cleanup;
        }

        if (argc < (7 + j)) {
                printUsage(argv[0]);
                pkixTestErrorMsg = "Invalid command line arguments.";
                goto cleanup;
        }

        if (PORT_Strcmp(argv[2+j], "ENE") == 0) {
                expectedResult = PKIX_TRUE;
        } else if (PORT_Strcmp(argv[2+j], "EE") == 0) {
                expectedResult = PKIX_FALSE;
        } else {
                printUsage(argv[0]);
                pkixTestErrorMsg = "Invalid command line arguments.";
                goto cleanup;
        }

        userInitialPolicySet = policySetParse(argv[5+j]);
        if (!userInitialPolicySet) {
                printUsage(argv[0]);
                pkixTestErrorMsg = "Invalid command line arguments.";
                goto cleanup;
        }

        for (initArgs = 0; initArgs < 3; initArgs++) {
                if (PORT_Strcmp(argv[6+j+initArgs], "A") == 0) {
                        initialAnyPolicyInhibit = PKIX_TRUE;
                } else if (PORT_Strcmp(argv[6+j+initArgs], "E") == 0) {
                        initialExplicitPolicy = PKIX_TRUE;
                } else if (PORT_Strcmp(argv[6+j+initArgs], "P") == 0) {
                        initialPolicyMappingInhibit = PKIX_TRUE;
                } else {
                        break;
                }
        }

        firstCert = initArgs + j + 6;
        chainLength = argc - (firstCert + 1);
        if (chainLength > PKIX_TEST_MAX_CERTS) {
                printUsageMax(chainLength);
                pkixTestErrorMsg = "Invalid command line arguments.";
                goto cleanup;
        }

        /*
         * Create a chain, but don't include the first certName.
         * That's the anchor, and is supplied separately from
         * the chain.
         */
        for (i = 0; i < chainLength; i++) {

                certNames[i] = argv[i + (firstCert + 1)];
                certs[i] = NULL;
        }
        chain = createCertChainPlus
                (dirName, certNames, certs, chainLength, plContext);

        subTest(argv[1+j]);

        valParams = createValidateParams
                (dirName,
                argv[firstCert],
                NULL,
                NULL,
                userInitialPolicySet,
                initialPolicyMappingInhibit,
                initialAnyPolicyInhibit,
                initialExplicitPolicy,
                PKIX_FALSE,
                chain,
                plContext);

        if (expectedResult == PKIX_TRUE) {
                subTest("   (expecting successful validation)");

                PKIX_TEST_EXPECT_NO_ERROR(PKIX_ValidateChain
                        (valParams, &valResult, &verifyTree, plContext));

                printValidPolicyTree(valResult);

        } else {
                subTest("   (expecting validation to fail)");
                validationError = PKIX_ValidateChain
                        (valParams, &valResult, &verifyTree, plContext);
                if (!validationError) {
                        printValidPolicyTree(valResult);
                        pkixTestErrorMsg = "Should have thrown an error here.";
                }
                PKIX_TEST_DECREF_BC(validationError);
        }

        PKIX_TEST_EXPECT_NO_ERROR(PKIX_PL_Object_ToString
                ((PKIX_PL_Object*)verifyTree, &verifyString, plContext));
        (void) printf("verifyTree is\n%s\n", verifyString->escAsciiString);

cleanup:

        PKIX_PL_Free(anchorName, plContext);

        PKIX_TEST_DECREF_AC(verifyString);
        PKIX_TEST_DECREF_AC(verifyTree);
        PKIX_TEST_DECREF_AC(userInitialPolicySet);
        PKIX_TEST_DECREF_AC(chain);
        PKIX_TEST_DECREF_AC(valParams);
        PKIX_TEST_DECREF_AC(valResult);
        PKIX_TEST_DECREF_AC(validationError);

        PKIX_Shutdown(plContext);

        PKIX_TEST_RETURN();

        endTests("PolicyChecker");

        return (0);
}
